The Public Eye with Eric Chabrow

GOP Platform Suggests 'Hack Back' a Suitable Cyber Defense

Some Cybersecurity Experts Say Plank Encourages 'Cowboy' Justice
GOP Platform Suggests 'Hack Back' a Suitable Cyber Defense

The Republican Party platform seems to endorse the "hack back" concept, or the right of a private enterprise or individual to retaliate against cyberattackers.

See Also: Beyond the Breach: ISO/IEC 27001 - The Shield Against Cyber Catastrophe

The platform - adopted this week at the Republican convention in Cleveland that nominated Donald Trump for president - does not specifically mention the term hack back, but states: "We ... make clear that users have a self-defense right to deal with hackers as they see fit."

It shouldn't be surprising that the platform - characterized by The New York Times as "the most extreme Republican platform in memory" - would favor a tactic that has fallen out of favor with the vast majority of cybersecurity experts, lawmakers - including Republicans - and policymakers. Many on the far right that helped shape the platform champion a do-it-yourself attitude toward defense combined with a deep mistrust of government.

"It's crazy," Jody Westby, chief executive of the cyber-risk advisory firm Global Cyber Risk, says of the platform's "as-they-see-fit" provision. "This notion that people could just be cowboys is very risky for them. It can actually deter, defeat investigations because often data is damaged or destroyed in the [hack back] process and very few people are skilled to do this."

Vigilante Justice?

Cybersecurity expert and author Bruce Schneier characterizes the hack back approach as vigilante justice. Though hacking back could "feel so good," Schneier says, it's "truly crazy."

First, he says, attribution for a hacker attack is difficult, and the wrong party could be victimized, such as a business whose computers were secretly commandeered by the hacker. Second, the United States eschews vigilante justice for a good reason: "We actually don't want citizens to deal with criminals as they see fit," he says. "That's called anarchy, and it's bad.

"If you walk by your neighbor's house, look in his window, and see the thing he stole from you yesterday, you're not allowed to break into his house and take it back. That's the law. There's a real reason why we let the police and the justice system handle this."

Schneier also raised several rhetorical questions based on the vagueness of the platform position. Can "as they see fit" include firebombing a building or hacking a car to make it crash to revenge a hack?

Westby contends some forensic security companies advocate the hack back approach to try to "show that they have the cowboy skills. But we're not the Wild West. ... Individuals and companies that try to engage in active defense run a very high risk that they're violating criminal laws themselves and putting great risk on themselves, far more risk than the attackers bring to their organization."

I queried the Republican convention press office, seeking an explanation of why the platform endorses a "self-defense" approach to cybersecurity. But the party did not offer an immediate response.

About the Author

Eric Chabrow

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.